Skip to content

Commit 9a2a561

Browse files
committed
docs: README v0.3.4 — security fixes table, key encryption, updated roadmap
1 parent bf40f6f commit 9a2a561

1 file changed

Lines changed: 64 additions & 17 deletions

File tree

README.md

Lines changed: 64 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33
> The first Bitcoin-native browser with integrated Lightning wallet, Cashu ecash, Liquid and native Nostr identity — privacy-first by design.
44
55
[![License: MIT](https://img.shields.io/badge/License-MIT-orange.svg)](LICENSE)
6-
[![Platform](https://img.shields.io/badge/platform-Linux%20%7C%20Windows-blue)](https://github.com/shadowbipnode/Zap-Browser)
6+
[![Platform](https://img.shields.io/badge/platform-Linux-blue)](https://github.com/shadowbipnode/Zap-Browser)
77
[![Built with Electron](https://img.shields.io/badge/built%20with-Electron%2030-47848F)](https://electronjs.org)
88
[![Nostr](https://img.shields.io/badge/Nostr-NIP--07%20%7C%20NIP--47-purple)](https://nostr.com)
99
[![Bitcoin](https://img.shields.io/badge/Bitcoin-Lightning%20%7C%20Cashu%20%7C%20Liquid-F7931A)](https://bitcoin.org)
@@ -24,6 +24,7 @@ Zap Browser is an open-source desktop browser that unifies a full Chromium brows
2424
| Ad block 106k+ domains ||| Extension | Extension |
2525
| Cosmetic ad filtering 12k rules ||| Extension | Extension |
2626
| Native WebRTC block || Partial | Extension | Extension |
27+
| Private key encrypted at rest |||||
2728
| Bookmarks bar + HTML import |||||
2829
| Clickable history |||||
2930
| No account required |||||
@@ -34,37 +35,81 @@ Zap Browser is an open-source desktop browser that unifies a full Chromium brows
3435

3536
## Features
3637

37-
**Privacy & Security** — EasyList + EasyPrivacy + uBlock Origins parsed into 106,000+ domain block set, updated automatically every 24 hours. 12,000+ cosmetic CSS rules hide ad slots even when the domain can't be blocked. WebRTC disabled at both JS and permission-handler level — verified no-leak on browserleaks.com. User-Agent rotated every session from a pool of real browser strings. Push notifications, geolocation, camera and microphone permissions blocked by default. JS dialogs (alert, confirm, prompt) are currently suppressed as a temporary development simplification. This behavior is not final and will be replaced with a proper, secure and user-controlled dialog system (with per-site permissions) in future releases.
38+
### Privacy & Security
3839

39-
**Lightning (NWC)** — Connect any LND or CLN node via a `nostr+walletconnect://` connection string. Compatible with Alby, Zeus, Mutiny, Breez, Phoenix, LNbits. Communication runs over a real WebSocket to the configured Nostr relay with NIP-47 ECDH encryption. Pay invoices, create invoices, check balance, disconnect — all from inside the browser.
40+
- **106,000+ domain blocklist** — EasyList + EasyPrivacy + uBlock Origins, parsed and applied at the network layer. Updated automatically every 24 hours. No extension required.
41+
- **12,000+ cosmetic CSS rules** — hide ad containers even when the domain is not in the blocklist.
42+
- **WebRTC IP leak prevention** — disabled at both JS override and Electron permission-handler level. Verified no-leak on browserleaks.com.
43+
- **User-Agent rotation** — randomised every session from a pool of real Chrome, Firefox and Safari strings across Linux, Windows and macOS.
44+
- **Permissions blocked by default** — camera, microphone, geolocation, push notifications.
45+
- **Tracking headers stripped**`X-Forwarded-For`, `Via`, `From` removed from every outgoing request.
46+
- **Service Worker cache cleared on startup** — prevents fingerprinting via stale cached assets.
47+
- **No telemetry, no crash reporting, no cloud sync** — SQLite local only.
48+
- **SSL certificates** — standard Chromium validation. Self-signed certs are not silently accepted.
4049

41-
**Cashu Ecash** — Chaumian ecash wallet powered by cashu-ts. The mint cannot link sends to receives. Multi-mint support. Tokens can be created and received offline. No blockchain, no public addresses, no transaction graph.
50+
### Key storage
4251

43-
**Liquid L-BTC** — UI scaffolded for confidential Liquid transactions. BIP39 key derivation in development.
52+
The Nostr private key and BIP39 seed are **encrypted at rest** using AES-256-GCM. The encryption key is stored in the OS keychain (libsecret on Linux, Keychain on macOS) and never written to disk in plaintext. The private key never leaves the Electron main process and is never transmitted over the network.
4453

45-
**Nostr**`window.nostr` injected into every page (NIP-07). Automatic login on Primal, Damus, Snort, Stacker News and any NIP-07 compatible site. Keypair derived deterministically from BIP39 seed via NIP-06. NIP-04 encrypted DMs supported. Visual indicator in toolbar when the current site supports Nostr login. nsec importable at any time from Settings. Private key never leaves the Electron main process — the browser only signs locally and never publishes to relays.
54+
### Lightning (NWC)
4655

47-
**Value4Value** — Detects `<meta name="lightning">` tags. One-click boost payments to creators. Configurable auto-pay (sats per minute while reading).
56+
Connect any LND or CLN node via a `nostr+walletconnect://` connection string. Compatible with Alby, Zeus, Mutiny, Breez, Phoenix, LNbits. Communication runs over a real WebSocket to the configured Nostr relay with NIP-47 ECDH encryption. Pay invoices, create invoices, check balance, disconnect — all from inside the browser.
4857

49-
**Bookmarks & History** — Bookmarks bar below the address bar with overflow dropdown. Import bookmarks from any browser via HTML export (Chrome/Firefox/Edge/Safari). Clickable browsing history grouped by day. Toggle bookmarks bar visibility from Settings.
58+
### Cashu Ecash
59+
60+
Chaumian ecash wallet powered by cashu-ts. Mint tokens directly from a Lightning invoice. Multi-mint support. Receive tokens from other wallets. No blockchain, no public addresses, no transaction graph. The mint cannot link sends to receives.
61+
62+
### Nostr
63+
64+
`window.nostr` injected into every page (NIP-07). Automatic login on Primal, Damus, Snort, Stacker News and any NIP-07 compatible site. Keypair derived deterministically from BIP39 seed via NIP-06. NIP-04 encrypted DMs supported. Visual indicator in toolbar when the current site supports Nostr login. nsec importable at any time from Settings. The browser only signs locally — it never publishes events to relays on its own.
65+
66+
### Value4Value
67+
68+
Detects `<meta name="lightning">` tags. One-click boost payments to creators. Configurable auto-pay (sats per minute while reading).
69+
70+
### Bookmarks & History
71+
72+
Bookmarks bar below the address bar with overflow dropdown. Import bookmarks from any browser via HTML export (Chrome/Firefox/Edge/Safari). Clickable browsing history grouped by day. Toggle bookmarks bar from Settings.
73+
74+
---
75+
76+
## Security notes
77+
78+
The following issues were addressed in v0.3.4 following community feedback:
79+
80+
| Issue | Status |
81+
|-------|--------|
82+
| SSL certificate bypass (accepted any cert including MitM) | **Fixed** — standard Chromium validation |
83+
| `confirm()` forced to return `true` (broke legitimate dialogs) | **Fixed** — browser dialogs work normally |
84+
| Private key stored in plaintext in SQLite | **Fixed** — AES-256-GCM + OS keychain |
85+
| BIP39 seed stored in plaintext in SQLite | **Fixed** — AES-256-GCM + OS keychain |
86+
| Duplicate IPC handler registration | **Fixed** |
87+
| NIP-04 encrypt/decrypt using raw stored bytes instead of decrypted key | **Fixed** |
88+
| No input validation on sensitive IPC channels | **Fixed** — type and format checks added |
89+
| Debug `console.log` with internal data in production build | **Fixed** |
90+
91+
Remaining known limitations (tracked in roadmap):
92+
93+
- JS dialogs (`alert`, `confirm`, `prompt`) are currently suppressed browser-wide. A proper per-site permission system is planned for v0.4.
94+
- Seed encryption uses the OS keychain; on systems without libsecret the fallback is an in-process key (not persisted). Full keychain support across distros is in progress.
5095

5196
---
5297

5398
## Installation
5499

55100
**Debian / Ubuntu**
56101
```bash
57-
sudo dpkg -i zap-browser-0.3.3.deb
102+
sudo dpkg -i zap-browser-0.3.4.deb
58103
```
59104

60105
**RPM (Rocky Linux 9 / Fedora / RHEL)**
61106
```bash
62-
sudo rpm -Uvh --force zap-browser-0.3.3.rpm
107+
sudo rpm -Uvh --force zap-browser-0.3.4.rpm
63108
```
64109

65110
**AppImage (any Linux)**
66111
```bash
67-
chmod +x zap-browser-0.3.3.AppImage && ./zap-browser-0.3.3.AppImage
112+
chmod +x zap-browser-0.3.4.AppImage && ./zap-browser-0.3.4.AppImage
68113
```
69114

70115
**Build from source**
@@ -86,7 +131,7 @@ The onboarding wizard runs once on first launch. Choose between **Bitcoin + Priv
86131

87132
## Connect Your Lightning Node
88133

89-
Open Alby (alby.com), Zeus, or LNbits on your node, go to Connections → NWC → Add new, copy the `nostr+walletconnect://` string, then paste it in the Zap Browser Wallet panel → NWC tab → Connect.
134+
Open Alby, Zeus, or LNbits, go to Connections → NWC → Add new, copy the `nostr+walletconnect://` string, then paste it in Zap Browser Wallet → NWC → Connect.
90135

91136
---
92137

@@ -101,6 +146,7 @@ src/
101146
│ ├── nostr.js — NIP-06 keypair, NIP-07 local signer
102147
│ ├── nwc.js — NWC WebSocket, NIP-47 encrypt/decrypt
103148
│ ├── cashu.js — Cashu ecash wallet (cashu-ts)
149+
│ ├── keychain.js — AES-256-GCM encryption + OS keychain
104150
│ ├── blocklist.js — EasyList/uBlock parser, 106k domain + 12k cosmetic
105151
│ ├── doh.js — DNS over HTTPS
106152
│ └── value4value.js — V4V micropayment detection
@@ -132,6 +178,7 @@ src/
132178
| Nostr | nostr-tools + native NIP-07 signer |
133179
| Ecash | cashu-ts (Cashu protocol) |
134180
| Storage | better-sqlite3 (local, no cloud) |
181+
| Key encryption | AES-256-GCM + libsecret (OS keychain) |
135182
| Ad block | EasyList + EasyPrivacy + uBlock Origins |
136183
| Crypto | @noble/hashes (audited) |
137184

@@ -141,10 +188,10 @@ src/
141188

142189
| Version | Focus |
143190
|---------|-------|
144-
| v0.3.3 (current) | NWC Lightning ✅, Cashu ecash ✅, Bookmarks bar ✅, History ✅, 106k adblock + 12k cosmetic ✅, WebRTC fix|
145-
| v0.4 | L-BTC via libwally, QR codes, LNURL-pay/auth, real DoH at Electron level, proper JS dialog handling (alert/confirm/prompt) |
191+
| v0.3.4 (current) | NWC Lightning ✅, Cashu mint+receive ✅, key encryption at rest ✅, security fixes|
192+
| v0.4 | L-BTC via libwally, QR codes, LNURL-pay/auth, real DoH, per-site JS dialog permissions |
146193
| v0.5 | Canvas fingerprint randomization, encrypted history, proxy HTTP/SOCKS |
147-
| v0.6 | Windows build, optional Tor, Nostr DMs in-browser, Nostr feed on new tab |
194+
| v0.6 | Windows build, optional Tor, Nostr DMs in-browser |
148195
| v0.7 | Chrome extension API subset, themes, Nostr bookmark sync |
149196
| v1.0 | Public release, signed builds, auto-update |
150197

@@ -159,13 +206,13 @@ src/
159206
-**Like the project?** Star the repo — it helps visibility
160207
- 🔧 **Want to contribute?** Priority areas: L-BTC libwally FFI, real DoH, canvas fingerprinting, LNURL flows, QR codes, Tor bundle, Windows build
161208

162-
Priority contribution areas: Cashu-ts real wallet integration, libwally-core FFI for L-BTC, real DoH at Electron level, canvas fingerprinting randomization, LNURL-pay/auth flows, QR code display, Tor binary bundle.
209+
*This is genuinely early — some things are rough. I'd rather ship and learn than wait for perfection.*
163210

164211
---
165212

166213
## Security
167214

168-
The BIP39 seed is never transmitted over the network. The Nostr private key never leaves the Electron main process. The SQLite database is local — no cloud sync, no telemetry, no crash reporting. The browser never publishes events to Nostr relays; it only signs locally on request from web pages. To report a vulnerability: open a private issue on GitHub.
215+
The BIP39 seed and Nostr private key are encrypted at rest with AES-256-GCM. The encryption key lives in the OS keychain and is never written to disk. Neither the seed nor the private key is ever transmitted over the network. The SQLite database is local — no cloud sync, no telemetry, no crash reporting. The browser never publishes events to Nostr relays; it only signs locally on request from web pages. To report a vulnerability: open a private issue on GitHub.
169216

170217
---
171218

0 commit comments

Comments
 (0)